The update includes patches for two flaws that are already being exploited in the wild, one of which was being used by an advanced persistent threat (APT) attack group to target Windows users through Internet Explorer (IE).

The IE attacks were revealed in April by the Qihoo 360 Core Security team, which said a “double kill” vulnerability bundled with malicious Office documents was being used to compromise IE users on a “global scale”. Victims who opened the Office document would be silently infected via a malicious webpage opened in the background.

Microsoft at the time did not confirm the vaguely described bug, but it now appears to have filled in a few of the gaps in an advisory that credits Qihoo 360 Core Security.

Microsoft says the remote code execution vulnerability lies in the Windows VBScript engine and could allow an attacker to execute arbitrary code and, if the user is logged in as an administrator, gain full control of the system.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft notes in an advisory for the bug CVE-2018-8174.

“An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Microsoft has also released a fix for a bypass vulnerability in a Windows security feature called Device Guard that notably affects devices in Windows 10 S locked-down mode.

Researchers at Google’s Project Zero revealed the Device Guard bypass on April 19 following failed attempts by Microsoft to negotiate a deferral of disclosure until the Windows 10 April 2018 Update, which was first released to Windows 10 users on April 30.

Microsoft was unable to provide a fix before Project Zero’s 90-day deadline expired and had also asked Google not to disclose the bug until its May Patch Tuesday release.

Though it is one more instance of the two tech giants locking horns over disclosure norms, it is not a dangerous bug. Google rated it “medium” severity, in part because other unpatched bypasses are already publicly known, while Microsoft rated it “important”. It has been assigned the vulnerability identifier CVE-2018-1039.

“To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program,” Microsoft said in its advisory. The patch addresses the .NET Framework issue on Windows 7 through Windows 10 and on Windows Server 2012 through Windows Server 2016.

The other flaw exploited in the wild before today’s updates is a Win32k vulnerability that allows an attacker to elevate privileges.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft notes.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.